The following reply was made to PR pkg/32398; it has been noted by GNATS.
From: Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
To: OBATA Akio <obache@NetBSD.org>
Cc: gnats-bugs@NetBSD.org, mark@mcs.vuw.ac.nz
Subject: Re: pkg/32398: Maintainer update: net/ipa 1.3.6 -> sysutils/ipa 2.0
Date: Wed, 18 Oct 2006 16:34:45 +0300

On Wed, Oct 18, 2006 at 09:06:40PM +0900, OBATA Akio wrote:
> > Right now there is not any accounting module, which can be used on
> > NetBSD. Nevertheless, there is database module ipa_sdb, which can be
> > used on any Unix-like system and there is ipactl utility, which can
> > provide statistics.
>
> Then, until ipa-2.x's modules are ready, we should keep ipa-1.x, shouldn't we?

I'm going to send a PR to add the ipa_sdb module (simple database module,
record based database) to pkgsrc, so the database module is ready.

I do not support ipa-1.x any more and since pf and ipfil are being developed
quickly, the 1.x version cannot be used on newer systems. There are some
difficulties in implementing accounting modules for pf and ipfil.

Even without an accounting module it is possible to use ipa, for example
if there is the following simple ipa.conf:

    db_mod "/usr/local/lib/ipa_db_sdb.so";
    ctl_enable = yes;

    global {
        db_list = sdb;
    }

    rule lan {
        limit 1 {
            limit = 100M;
            restart {
                restart = +M;
            }
            reach {
                exec "/somewhere/reach.sh";
            }
            expire {
                expire = +M;
                exec "/somewhere/expire.sh";
            }
        }
    }

then it is possible to give statistics to this rule from ipactl:

    % ipactl -r lan set counter +12M

When the statistics reach 100M (the value of limit), reach.sh
will be run, and at the end of the month (the expire=+M value) expire.sh
will be run and the limit will be restarted. If the limit is not reached, it
will be restarted anyway at the end of the month (the restart=+M value).

For example, ipactl can be run from some script which uses pfctl
to retrieve statistics from PF.